The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

The per user Access Control List (ACL) is part of Cisco Identity
networking. The Cisco Wireless LAN Solution supports identity networking: the
network advertises a single SSID, while specific users inherit different
policies based on their user profiles.

The per user ACL feature provides the ability to apply an ACL
configured on the Wireless LAN Controller to a user based on the RADIUS
authorization. This is accomplished with the Airespace-ACL-Name Vendor Specific
Attribute (VSA).

This attribute indicates the ACL name to be applied to the client. When
the ACL attribute is present in the RADIUS Access Accept, the system applies
the ACL-Name to the client station after it authenticates. This overrides any
ACLs that are assigned to the interface. It ignores the assigned interface-ACL
and applies the new one.

A summary of the ACL-Name Attribute format is shown below. The fields
are transmitted from left to right.

In this setup, the Wireless LAN Controller (WLC) and Lightweight AP (LAP)
are used to provide wireless services to the users in Department A and
Department B. All the wireless users use a common WLAN (SSID) Office to access
the network and are in the VLAN Office-VLAN.

The Cisco Secure ACS server is used to authenticate wireless users. EAP
authentication is used to authenticate users. The WLC, LAP, and Cisco Secure
ACS server are connected with a Layer 2 Switch as shown.

Router R1 connects the servers on the wired side through the Layer 2
Switch as shown. Router R1 also acts as a DHCP server, which provides IP
addresses to wireless clients from subnet 172.16.0.0/16.

You need to configure the devices so that this occurs:

User1 from Department A has access only to server 172.16.1.100

User2 from Department B has access only to server 172.16.1.50

In order to accomplish this, you need to create 2 ACLs on the WLC: one
for User1, and the other for User2. Once the ACLs are created, you need to
configure the Cisco Secure ACS server to return the ACL name attribute to the
WLC upon successful authentication of the wireless user. The WLC then applies
the ACL to the user, so that access to the network is restricted according to
the user profile.

Note: This document uses LEAP authentication to authenticate users.
Cisco LEAP is vulnerable to dictionary attacks. In production networks, more
secure authentication methods such as EAP-FAST should be used. Since the focus
of this document is to explain how to configure the Per User ACL feature, LEAP
is used for simplicity.

The next section provides the step-by-step instruction to configure the
devices for this setup.

Before you configure the per user ACL feature, you must configure the
WLC for basic operation and register the LAPs to the WLC. This document assumes
that the WLC is configured for basic operation and that the LAPs are registered
to the WLC. If you are a new user who is setting up the WLC for basic
operation with LAPs, refer to Lightweight AP (LAP) Registration to a Wireless
LAN Controller (WLC).

Once the LAPs are registered, complete these steps to configure the
devices for this setup:

In order to create a VLAN for the wireless users, complete these
steps.

Go to the WLC GUI and choose Controller >
Interfaces. The Interfaces window appears. This window lists the
interfaces that are configured on the controller.

Click New in order to create a new dynamic
interface.

In the Interfaces > New window, enter the
Interface Name and the VLAN ID. Then click Apply. In this example, the dynamic
interface is named Office-VLAN, and the VLAN ID is assigned
20.

In the Interfaces > Edit window, enter the IP
address, the subnet mask, and the default gateway for the dynamic interface.
Assign it to a physical port on the WLC, and enter the IP address of the DHCP
server. Then click Apply.

For this example, these parameters are used for the Office-VLAN
interface:

The WLC needs to be configured in order to forward the user credentials
to an external RADIUS server (in this case, the Cisco Secure ACS). The RADIUS
server then validates the user credentials and returns the ACL name attribute
to the WLC upon successful authentication of the wireless user.

Complete these steps in order to configure the WLC for the RADIUS
server:

Choose Security > RADIUS Authentication from the controller GUI to
display the RADIUS Authentication Servers page. Then click New in order to
define a RADIUS server.

Next, you need to create a WLAN to which the wireless users can
connect. In order to create a new WLAN, complete these steps:

From the Wireless LAN Controller GUI, click WLANs.
This page lists the WLANs that exist on the controller.

Choose New in order to create a new WLAN. Enter
the WLAN ID, Profile Name, and the WLAN SSID for the WLAN, and click
Apply. For this setup, create a WLAN Office.

Once you create a new WLAN, the WLAN > Edit
page for the new WLAN appears. In this page, you can define various parameters
specific to this WLAN that includes General policies, Security, QoS, and
Advanced parameters.

Check WLAN Status under General policies in order
to enable the WLAN. Choose the appropriate interface from the pull-down menu.
In this example, use the interface Office-VLAN. The other
parameters on this page can be modified based on the requirements of the WLAN
network.

Under the Security tab, choose the AAA server
sub-tab. Choose the AAA server that is used to authenticate wireless clients.
In this example, use ACS server 10.77.244.196 to authenticate wireless clients.

Choose the Advanced tab. Check Allow AAA
Override to configure user policy override through the AAA on a
wireless LAN.

When AAA override is enabled and a client has conflicting AAA and
Cisco Wireless LAN controller wireless LAN authentication parameters, client
authentication is performed by the AAA server. As part of this authentication,
the operating system moves clients from the default Cisco wireless LAN solution
wireless LAN VLAN to a VLAN returned by the AAA server and predefined in the
Cisco Wireless LAN controller interface configuration. This only happens when
the WLAN is configured for MAC filtering, 802.1X, and/or WPA operation. In all
cases, the operating system also uses the QoS, DSCP, 802.1p priority tag values
and ACL provided by the AAA server, as long as they are predefined in the Cisco
Wireless LAN controller interface configuration.
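The two behaviours described above, the Airespace-ACL-Name VSA carried in the RADIUS Access-Accept and the "Allow AAA Override" decision that lets it replace the interface ACL, can be followed in code. This is an added example written for this page, not Cisco code and not the controller's implementation. It assumes the standard RFC 2865 Vendor-Specific attribute layout (type 26) and takes the Cisco Airespace vendor ID 14179 and the Airespace-ACL-Name vendor type 6 from the Airespace RADIUS dictionary; neither value appears on this page. The sample Access-Accept attribute list is constructed.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
AIRESPACE_VENDOR_ID = 14179   # Cisco Airespace enterprise number (Airespace RADIUS dictionary, not this page)
AIRESPACE_ACL_NAME = 6        # vendor type of Airespace-ACL-Name (same source)
RADIUS_USER_NAME = 1          # RFC 2865 User-Name, used only to pad the sample packet


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute (type 26) that carries a single
    vendor sub-attribute laid out as Vendor-Type | Vendor-Length | data."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(data: bytes):
    """Walk a RADIUS attribute list (Type | Length | Value ...) and yield
    (type, value) pairs; a length below 2 or past the buffer is malformed."""
    i = 0
    while i + 2 <= len(data):
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield attr_type, data[i + 2:i + attr_len]
        i += attr_len


def extract_acl_name(attrs: bytes):
    """Return the Airespace-ACL-Name string found in an Access-Accept attribute
    list, or None when the RADIUS server sent no such attribute."""
    for attr_type, value in parse_attributes(attrs):
        # 4 bytes of vendor id plus at least a 2-byte sub-attribute header
        if attr_type != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != AIRESPACE_VENDOR_ID:
            continue
        # vendor sub-attributes use the same TLV shape as top-level attributes
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == AIRESPACE_ACL_NAME:
                return vvalue.decode("ascii")
    return None


def effective_acl(access_accept_attrs: bytes, interface_acl, aaa_override_enabled: bool):
    """Mirror the controller behaviour the document describes: with Allow AAA
    Override enabled, an ACL name in the Access-Accept replaces the ACL on the
    interface; with it disabled, the interface ACL stays in force."""
    name = extract_acl_name(access_accept_attrs)
    if aaa_override_enabled and name is not None:
        return name
    return interface_acl


# Constructed sample: a User-Name attribute followed by the Airespace ACL VSA,
# the shape of what the ACS returns for User1 in this document's setup.
SAMPLE_ACCEPT = (
    struct.pack("!BB", RADIUS_USER_NAME, 2 + len(b"User1")) + b"User1"
    + build_vsa(AIRESPACE_VENDOR_ID, AIRESPACE_ACL_NAME, b"User1")
)

if __name__ == "__main__":
    print("ACL name in Access-Accept:", extract_acl_name(SAMPLE_ACCEPT))
    print("override on :", effective_acl(SAMPLE_ACCEPT, "Office-VLAN-ACL", True))
    print("override off:", effective_acl(SAMPLE_ACCEPT, "Office-VLAN-ACL", False))
```

The second and third lines of output show the point of the Allow AAA Override checkbox: the RADIUS server can return the attribute, but the controller ignores it unless the WLAN permits the override.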

Choose the other parameters based on the requirements of the
network. Click Apply.

ACL1: provides User1 with access to the server 172.16.1.100 only.

ACL2: provides User2 with access to the server 172.16.1.50 only.

Complete these steps to configure the ACLs on the WLC:

From the WLC GUI, choose Security > Access Control
Lists. The Access Control Lists page appears. This page lists the ACLs
that are configured on the WLC. It also enables you to edit or remove any of
the ACLs. In order to create a new ACL, click
New.

This page allows you to create new ACLs. Enter the name of the ACL
and click Apply. Once the ACL is created, click
Edit in order to create rules for the ACL.

User1 needs to be able to access server 172.16.1.100 only and must
be denied access to all other devices. For this, you need to define these
rules.

Similarly, you need to create an ACL for User2, which allows User2
access to server 172.16.1.50 only. This is the ACL required for User2.
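To make the rule logic concrete, here is an added example (not Cisco code and not a reproduction of the rule table from the original page) that models how a controller ACL is evaluated: rules are tried in sequence order, the first match decides, and anything that matches no rule hits the implicit deny at the end. The rule set for "reach one server only" is constructed for this example, as is the direction convention it assumes (inbound is client to wired network, outbound is wired network to client); the client addresses are made-up hosts from the 172.16.0.0/16 DHCP range named in the document. The one-way rule set at the end shows the common mistake of permitting only the client-to-server direction.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    direction: str              # "inbound" (client -> wired), "outbound" (wired -> client), "any"
    source: IPv4Network
    destination: IPv4Network
    protocol: str = "any"       # "any", "tcp", "udp", "icmp", ...


ANY = ip_network("0.0.0.0/0")


def host(ip: str) -> IPv4Network:
    """Single-host network, the equivalent of a /32 entry in the rule table."""
    return ip_network(ip + "/32")


def evaluate(acl, direction: str, src: str, dst: str, protocol: str = "any") -> str:
    """First matching rule wins, in sequence order; no match means the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule.direction not in ("any", direction):
            continue
        if rule.protocol not in ("any", protocol):
            continue
        if ip_address(src) not in rule.source:
            continue
        if ip_address(dst) not in rule.destination:
            continue
        return rule.action
    return "deny"


def make_single_server_acl(server_ip: str):
    """Constructed rule set: permit traffic to the server and the server's replies,
    leave everything else to the implicit deny."""
    return [
        Rule(1, "permit", "inbound", ANY, host(server_ip)),
        Rule(2, "permit", "outbound", host(server_ip), ANY),
    ]


def check_reachability(acl, client_ip: str, server_ip: str, protocol: str = "any") -> bool:
    """A connection only works if both directions are permitted."""
    forward = evaluate(acl, "inbound", client_ip, server_ip, protocol)
    reverse = evaluate(acl, "outbound", server_ip, client_ip, protocol)
    return forward == "permit" and reverse == "permit"


ACL_USER1 = make_single_server_acl("172.16.1.100")
ACL_USER2 = make_single_server_acl("172.16.1.50")

# Failure mode: only the client-to-server rule was entered, so replies are dropped.
ACL_USER1_ONEWAY = [Rule(1, "permit", "inbound", ANY, host("172.16.1.100"))]

if __name__ == "__main__":
    client1, client2 = "172.16.0.10", "172.16.0.11"   # constructed DHCP leases
    print("User1 -> 172.16.1.100:", check_reachability(ACL_USER1, client1, "172.16.1.100"))
    print("User1 -> 172.16.1.50 :", check_reachability(ACL_USER1, client1, "172.16.1.50"))
    print("User2 -> 172.16.1.50 :", check_reachability(ACL_USER2, client2, "172.16.1.50"))
    print("User2 -> 172.16.1.100:", check_reachability(ACL_USER2, client2, "172.16.1.100"))
    print("one-way ACL, User1 -> 172.16.1.100:",
          check_reachability(ACL_USER1_ONEWAY, client1, "172.16.1.100"))
```

When an ACL "does not work" in testing, the one-way case is the first thing to check: the client's ping leaves, but the reply from the server matches no outbound permit and is dropped by the implicit deny.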

You have now configured the Wireless LAN Controller for this setup.
The next step is to configure the Cisco Secure Access Control server to
authenticate the wireless clients and to return the ACL Name attribute to the
WLC upon successful authentication.

In order to configure users on the Cisco Secure ACS, complete these
steps:

Choose User Setup from the ACS GUI, enter the
username, and click Add/Edit. In this example, the user is
User1.

When the User Setup page appears, define all
parameters specific to the user. In this example, the username, password,
Supplementary User Information, and the RADIUS attributes are configured
because you only need these parameters for EAP
authentication.

Scroll down until you see the Cisco Airespace RADIUS Attributes
specific to the user. Check Aire-ACL-Name to enable the ACS to return the ACL
name to the WLC along with the successful authentication response. For User1,
the ACL created on the WLC is named User1, so enter User1 as the ACL name.

Repeat the same procedure to create User2 as shown here.

Click System Configuration and Global
Authentication Setup in order to ensure that the authentication server
is configured to perform the desired EAP authentication method. Under the EAP
configuration settings, choose the appropriate EAP method. This example uses
LEAP authentication. Click Submit when you are done.

Try to associate a wireless client with the Lightweight AP with LEAP
authentication in order to verify whether the configuration works as
expected.

Note: This document assumes that the client profile is configured for LEAP
authentication. Refer to Using EAP Authentication for more information on how
to configure the 802.11 a/b/g Wireless Client Adapter for LEAP authentication.

Once the profile for the wireless client is activated, the user is
asked to provide the username/password for LEAP authentication. This is what
happens when User1 tries to authenticate to the LAP.

The Lightweight AP and then the WLC pass on the user credentials to the
external RADIUS server (Cisco Secure ACS) in order to validate the credentials.
The RADIUS server compares the data with the user database and, upon successful
authentication, returns the ACL name configured for the user to the WLC. In
this case, the ACL User1 is returned to the WLC.

The Wireless LAN Controller applies this ACL to User1. This ping output
shows that User1 is able to access only server 172.16.1.100, but not any other
device.

You can use the show wlan summary command in order to recognize which of
your WLANs employ RADIUS server authentication. Then you can use the show client
summary command in order to see which MAC addresses (clients) are successfully
authenticated on the RADIUS WLANs. You can also correlate this with your Cisco
Secure ACS passed attempts or failed attempts logs.

Cisco recommends that you test your ACL configurations with a wireless
client in order to ensure that you have configured them correctly. If they fail
to operate correctly, verify the ACLs on the ACL web page and verify that your
ACL changes were applied to the interface of the controller.

You can also use these show commands in order to verify your
configuration:

show acl summary—In order to display the ACLs that
are configured on the controller, use the show acl
summary command.